phosra_test_ key and read an enforcement verdict — with screenshots
captured from the running dashboard, then shows the exact API calls behind each screen so you
can script them.
Two ways to do everything. Every action in the console maps to a plain HTTP call. The
screenshots below show the point-and-click path; the code blocks show the same result against
the open sandbox at
https://phosra-api-sandbox-production.up.railway.app — no key, nothing
to install. Swap the base URL for https://prodapi.phosra.com/api/v1 and add your minted key to
go to production.1 — Mint a phosra_test_ key
In the console, open Developers → API Keys and press Create Key. Give the key a name,
keep Environment on Test (test keys only ever touch sandbox data), and tick the scopes
it needs. On save, the console shows the full secret exactly once — copy it now; it is never
displayed again.

test badge, truncated prefix, scope count, and
last-used time. You can revoke it here at any time; revoked keys stop authenticating immediately.

Test vs. live. A test key mints the
phosra_test_… prefix and is scoped to sandbox
data. A live key mints phosra_live_… and reaches production. The two are interchangeable in
every request — only the base URL and the key change. See
Authentication for the full bearer-key model.The same key, from the API
Prefer to script it? The control-plane mint returns the secret in the201 body — the one and
only time it is exposed:
201 Created — the secret appears once
2 — Set up a child to enforce against
Enforcement needs something to enforce: a child with an active policy, and at least one verified platform to push it to. The console’s Quick Setup does the first half in one screen; here is the same call. Every response below is verbatim live output from the sandbox.Live sandbox response (trimmed, 200 OK)
3 — Enforce, then read the verdict
Push the policy for the child. Enforcement is asynchronous — the call returns a job (202 Accepted) that resolves to a per-platform verdict:

GET /enforcement/jobs/{id}/results → 200
Why “Partial” and not “Enforced”? A verdict reflects what the target platform actually
accepted.
apple is a device platform: most rules are queued for on-device sync, and a rule
the platform can’t represent is reported as rules_failed rather than silently dropped — so the
job settles as partial, not completed. That honesty is the point: the verdict tells you
exactly how many rules landed. A dns platform that applies every rule server-side settles as
completed / Enforced. See Enforcement for the mode-by-mode model
and Platforms & enforcement modes for which platforms do what.Next steps
Create your account & get keys
The self-serve funnel from zero to a
phosra_test_ key.Authentication
Bearer keys vs. DID signatures — when each applies.
Enforcement
Jobs, verdicts, and the
dns / device / manual_attested modes.Errors
Every error
code and class the API can return.